IEZoneAnalyzer v3.5 with Zone Map Viewer

IEZoneAnalyzer is a utility for viewing and comparing Internet Explorer security zone settings – that is, the configuration settings that grant web sites in the Intranet zone more capabilities in the browser than web sites in the Internet zone. Earlier today, I wrote about the surprisingly complex rules that determine whether and when explicit mappings of websites to security zones take effect or are ignored. IEZoneAnalyzer version 3.5 adds a Zone Map Viewer that shows which web sites have been specifically assigned to security zones and whether the assignment is effective. Click on the “Zone Map Viewer” button in the main dialog’s toolbar to display the Zone Map Viewer. You can toggle the Zone Map Viewer between an “Effective Settings” view and a “Raw Settings” view with labeled toolbar buttons.

“Effective Settings” lists the configured web sites and the zones to which they are mapped. The Comments column calls out settings that apply only to 32-bit processes or only to 64-bit processes, or that are completely overridden and never take effect. For example, the first screenshot below shows a number of site assignments to Trusted Sites that are defined in User Preferences but overridden, for two reasons: the “use only machine settings” group policy is in effect, and a Computer Configuration Site-To-Zone Assignment policy is in effect. The screenshot also shows two overridden settings that are in effect only when Enhanced Security Configuration (ESC) is enabled, which is not the case here, as shown by the informational lines at the top of the listing. A given site is listed only once in the Effective Settings view. If a site is mapped the exact same way in a registry location that is in effect and in another that is not in use, the “overridden” one is not shown. That is, a setting is shown as “overridden” only if it is defined somewhere differently from what is actually in effect.

The “Raw Settings” view, shown below, shows all site-to-zone configuration settings, listing where they are defined, the zone each is assigned to, and whether that particular setting is in effect or ignored. Both views show the criteria that are used to determine which ZoneMap settings are in effect and which are ignored (per the rules listed in the Appendix).

As with all other IEZoneAnalyzer views, columns can be sorted, resized and reordered; content can be searched for specific text, copied to the clipboard and exported to CSV and to Excel files. Further, the sort order for the “Website” columns is based on domain names rather than on a strict alphabetic order. For example, all the “microsoft.com” mappings are grouped together, alphabetized by subdomains in reverse order.

[Updated 14-Oct-2011: Posted v3.5.0.3 to fix a bug, and to change the text associated with URL Action 180C which ended up not being used by Windows or IE.]

[Updated 7-June-2012: Re-posted v3.5.0.4 with the documentation back in! Sorry about that.]

[Updated 20-June-2013: Posted v3.5.0.5: fixes version reporting issue with IE10, added text for additional settings, and added sample files back in, including a new one reporting default settings for IE10 on Win8 x64. It also includes an IEZoneAnalyzer.exe.config file; keep this file in the same directory with IEZoneAnalyzer.exe if you want it to run on a system that has .NET 4.0 but doesn't have .NET 3.5.]

Version 3.5.0.3 shows wildcards incorrectly? For a trusted zone assignment from a Machine source set by a GPO, the protocol wildcard displays properly in the zone map viewer but the wildcard is omitted for subdomains. For example, in the "GPO:/Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List", the trusted zone assignment *://*.domain.local is created. The local registry entries show

while the same assignment of a User Preferences source made as a preference from a "GPO:/User Configuration/Policies/Windows Settings/Internet Explorer Maintenance/Security/Security Zones and Content Ratings/Trusted sites (Security Level: Medium)/Sites/Sites in this zone" shows *://*.domain.local

What gives? Is this a bug? Thanks for all the great tools Aaron!

[Aaron Margosis – 15-May-2012] Finally got some time to dig into this. As far as I can tell, IEZoneAnalyzer is working correctly. Remember that the values under ZoneMapKey don’t matter, only the values under ZoneMap. Where you see something like a key named "domain.local" containing a value "*" associated with data "1", the "*" means "all protocols", not "all subdomains". Try creating an assignment for https://*.domain.local, and you’ll see the value "https" appear in the registry instead of "*", meaning that the assignment applies to the domain only for the https protocol. Apparently "*" as a subdomain gets dropped.

While working on compiling the data for our IE9 GPOs, I found what may be a bug with the IEZoneAnalyzer, but I can’t be sure.

I ran IEZoneAnalyzer on a Win7 32bit machine with IE8 and IE8 Group Policies. I compared the values reported by IEZoneAnalyzer vs. what the IE8 GPO has configured. Everything looked great except for the policy "Turn Off First-Run Opt-In" (ID 1208).

According to IEZoneAnalyzer the policy is set to – Enabled

According to our GPO, the policy is set to – Enabled : Disabled

Based on your previous response regarding primary settings and option settings, shouldn’t the policy show up as "Disabled" in the IEZoneAnalyzer?

I am not too worried about it, but I wanted to let you know in case the tool is interpreting the policy value incorrectly. It’s more likely that I am off my rocker and just don’t know how to use the tool.

Thanks for a great tool! I use it all the time.

P.S. You wouldn’t happen to know if there is a list of all the default policy settings that IE8 and IE9 install with? I have been trying to find this information, but nobody seems to have it. Seems odd that MS wouldn’t have that documented somewhere.

[Aaron Margosis – 15-May-2012] Finally got some time to dig into this. As far as I can tell, IEZoneAnalyzer is working correctly. I opened gpedit.msc and set a bunch of Internet zone settings (including 1208 as you mentioned) to Enabled:Enable and then to Enabled:Disable. IEZoneAnalyzer correctly reported "Enable" or "Disable" accordingly. This is just one of those areas of Group Policy that’s a little confusing, where you establish a policy by choosing Enabled and then choosing the desired setting for that policy (Enable or Disable). Choosing Disabled removes the policy and actively deletes the corresponding registry value, so that the program (IE in this case) reverts to the Preferences values. (Make sense?)

When you say "all the default policy settings that IE8 and IE9 install with", do you mean the list of policies that are available, or the default settings for IE8/9? Policies are not applied by default.

When comparing between settings (same browser, same OS, different users on identical but different machines) what do the grayed out areas mean for one user?

This is a useful tool, but lacks some explanation to the output.

Where are "Machine Preferences" set? In IE Security tab or somewhere else?

[Aaron Margosis] OOPS! The last time I updated the program I forgot to include the extensive documentation I had written for it! I’ll upload that shortly. In the meantime, gray in a cell means that no setting is defined for that entry.

Interesting, as I have a whole set of grayed out cells on my machine where the user has cells set, but when I look in the IE settings on mine they match what the user has set (in my IE Zone Analyzer V3.5.0.4) export of his machine.

Are "Machine" preferences the same as "Computer" preferences by a different name?

[Aaron Margosis] Yes, "Machine" == "Computer". On a vanilla system, recent IE versions have most settings defined in Machine Preferences rather than User. If you open the security settings dialog, settings will get written into the User side. Most important, though, are "effective settings". See the previous link for the precedence order.

The precedence link is great info, I saw that or a version of it yesterday.

Our machines are 32 bit (not 64) XP SP3 with IE8. I’m trying to figure out why a particular user has some web pages (intranet, and perhaps internet) with red X picture placeholders. The Admin user on the user’s machine shows the page fine, indicating it’s a user setting, so I downloaded your wonderful program to see which one might cause the problem (although it may be a combination). Compatibility mode isn’t indicated (although this web page, blogs.technet, shows it, so IE is detecting it).

Shouldn’t changing a user preference setting be reflected in the registry, esp. after exiting & restarting IE? (Or do I have to exit and restart regedit too?) I’m not even seeing the change in IE Zone Analyzer. Granted my setting is grayed out, but shouldn’t setting it to a non-inherited setting cause it to be un-grayed out? (Currently I’m playing with User Preferences Trusted Sites 1208 Allow previously unused ActiveX controls to run without prompt Me: <grayed out> User: Enable. There are 32 differences in all.)

I may also be barking up the wrong tree for the solution.

[Aaron Margosis] Compatibility mode can be set differently on a page-by-page basis, depending on factors such as whether the page has an X-UA-Compatible tag, whether it’s in the Intranet zone, what the Compatibility mode settings and policies are, and more. The easiest way to check is to use the F12 Developer Tools, which have been built into the last few versions of IE.

Setting changes in the registry might require restarting IE, but not usually, from what I’ve seen. To pick registry changes up in IEZoneAnalyzer, choose File | Refresh local settings. Any settings you have added to lists of sets/settings to compare then need to be cleared out and re-added to pick up the changes.

Another thought: It may be a permissions issue on the server if Windows authentication is part of the picture.

Is there a way to change the default URL when the program starts (i.e., possibly via the config file)? I would like to use this as a support tool and it would be easier if it pointed to our website by default rather than http://www.microsoft.com.

Great tool by the way and thanks for creating it.

[Aaron Margosis] Not at this time, sorry. I’ll consider adding it the next time I update it. Thanks.

Whoops – forgot to add I get the error when selecting Zone Map Viewer button only.

[Aaron Margosis] Thanks, yes, I’d like to take a look at this. If you could please capture a Process Monitor trace of the error occurring, that would be great. After you capture the trace, set the filter to show only events belonging to IEZoneAnalyzer.exe, save in native Procmon format (PML) with "events displayed using current filter" and uncheck "profiling events." Compress to a zip file, come back to this page, click "Email blog author" and we’ll trade email. Thanks again.

Thank you for maintaining this tool and updating it for IE10. Over the years, it has been very valuable when deflecting the persistent developer myth that there is some mysterious IE setting that prevents their app from working. I personally have yet to encounter a vendor or developer who has actually found an offensive USGCB or GPO setting using this tool — instead, I stay out from underneath their bus and they discover a "training opportunity".

Only negative is that it doesn’t appear to honour the automatically detect Intranet site settings. E.g. if you have a site listed in a PAC / WPAD as DIRECT to bypass the proxy then IE seems to treat it as Intranet, even if you specify it as a Trusted Site. The tool doesn’t reflect this, leading to the wrong answer.

I am also getting "Unhandled exception has occurred…" "An entry with the same key already exists." when I try to run the Zone Map Viewer. Was this ever resolved? I’m on Windows 7 with IE 9.

[Aaron Margosis] I don’t think anyone ever followed up with data to resolve this. Please capture a Process Monitor trace of the error occurring. After you capture the trace, set the filter to show only events belonging to IEZoneAnalyzer.exe, save in native Procmon format (PML) with "events displayed using current filter" and uncheck "profiling events." Compress to a zip file, come back to this page, click "Email blog author" and we’ll trade email. Thanks.

From what I can tell, it appears that IE Zone Analyzer incorrectly reports the setting of 120B. The ADMX file lists 0 for DISABLE and 3 for ENABLE on this one setting (the opposite of other settings.) Can someone confirm my finding?

I also have the ZoneMapViewer – Unhandled Exception – An entry with the same key already exists

In my case this is because I have the following two entries in ZoneMap/Domains (HKCU or HKLM or both and where names have been changed to simplify the typing). I think these are put there programmatically by Group Policy so not entered via the IE GUI.

ZoneMap
  - Domains
    - ab.cde.com

and

ZoneMap
  - Domains
    - cde.com
      - ab

These evaluate to the same website (both are https) and hence I guess to the same entry in whatever data structure is used internally in IEZoneAnalyzer.

I just removed one of the 'duplicate' entries wherever it existed in HKLM and HKCU and I got the ZoneMap table appearing.
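The following is an added example, not code from IEZoneAnalyzer or the original post. It flattens a ZoneMap\Domains subtree the way Aaron's earlier reply describes (a value name is the protocol, "*" meaning all protocols, and its data is the zone number; each subkey adds one host label to the left), sorts the result by reversed domain labels as the Website column does, and reports sites that appear under two registry paths, which is the collision behind the "An entry with the same key already exists" error in the comment above. The registry tree is constructed sample data, and the helper names are the example's own.

```python
from collections import defaultdict

# IE security zone numbers as stored in ZoneMap data (well-known IDs).
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed sample of a ZoneMap\Domains subtree (not from a real system).
# A member whose value is an int is a registry value: name = protocol
# ("*" = all protocols, not all subdomains), data = zone number. A member
# whose value is a dict is a subkey, i.e. one more host label to the left.
# "ab.cde.com" and "cde.com\ab" are the two equivalent layouts from the thread.
SAMPLE_DOMAINS = {
    "ab.cde.com": {"https": 2},
    "cde.com": {"ab": {"https": 2}, "*": 1},
    "domain.local": {"*": 2},
}


def flatten_zonemap(domains, host="", path="ZoneMap\\Domains"):
    """Yield (protocol, host, zone, registry_path) for every value in the tree."""
    for name, item in domains.items():
        if isinstance(item, dict):          # subkey: prepend label to the host
            child_host = name if not host else f"{name}.{host}"
            yield from flatten_zonemap(item, child_host, f"{path}\\{name}")
        else:                               # value: protocol -> zone number
            yield (name, host, item, f"{path}\\{name}")


def sorted_entries(domains):
    """Order like the Website column: domain labels reversed, then protocol."""
    return sorted(flatten_zonemap(domains),
                  key=lambda e: (tuple(reversed(e[1].split("."))), e[0]))


def find_duplicates(domains):
    """Return {(protocol, host): [(zone, path), ...]} for sites defined by
    more than one registry path (the duplicate-key collision described above)."""
    groups = defaultdict(list)
    for proto, host, zone, path in flatten_zonemap(domains):
        groups[(proto, host)].append((zone, path))
    return {site: hits for site, hits in groups.items() if len(hits) > 1}


def format_entry(entry):
    proto, host, zone, path = entry
    return f"{proto}://{host} -> {ZONE_NAMES.get(zone, '?')} ({zone})  [{path}]"


if __name__ == "__main__":
    for entry in sorted_entries(SAMPLE_DOMAINS):
        print(format_entry(entry))
    for (proto, host), hits in find_duplicates(SAMPLE_DOMAINS).items():
        print(f"DUPLICATE {proto}://{host}: " + "; ".join(p for _, p in hits))
```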

@tviki: Well, yes and no. The Group Policy setting is “Turn off .NET Framework Setup”, with Enable=3 and Disable=0, and the Internet Properties (inetcpl.cpl) text is “Enable .NET Framework Setup”, with Enable=0 and Disable=3. I don’t know where the label “Disable .NET Framework setup” came from – perhaps from the Vista timeframe when I first started working on this.